[Opendnssec-user] ods-signer - create_dnskey stderr: Error initializing libhsm
Laurent Bauer
l.bauer at mailclub.fr
Thu Nov 4 16:44:26 UTC 2010
Hello,
I am getting started with opendnssec (version 1.1.0) with the default setup.
I initialized SoftHSM, configured the token label and PIN in conf.xml,
copied a test zone file in /var/lib/opendnssec/unsigned/, added the zone
with "ods-ksmutil zone -z demo-serveur.fr -p default", started the
enforcer and signer daemons, and tried to sign the zone with ods-signer.
4 keys were generated but the signer fails with "create_dnskey stderr:
Error initializing libhsm". I could not find what the "status: 3" was
about (see the log below). Could anyone help me fix that?
Here is some information about my current setup:
# softhsm --show-slots
Available slots:
Slot 0
Token present: yes
Token initialized: yes
User PIN initialized: yes
Token label: Mailclub
# ods-ksmutil zone list
zonelist filename set to /etc/opendnssec/zonelist.xml.
Found Zone: demo-serveur.fr; on policy default
# ods-ksmutil key list --verbose
SQLite database set to: /var/lib/opendnssec/db/kasp.db
Keys:
Zone:            Keytype:  State:   Date of next transition:  CKA_ID:                          Repository:  Keytag:
demo-serveur.fr  KSK       publish  2010-11-05 05:22:05       4b4c987253a6545d36f0600d5bbebd33  SoftHSM      55243
demo-serveur.fr  KSK       dssub    waiting for ds-seen       52bd18c3836e9c26b19673bef0d9c33d  SoftHSM      50356
demo-serveur.fr  ZSK       active   2010-12-04 15:22:05       165c52bfcedc26fffa8d5f0a7e05f5f8  SoftHSM      28439
demo-serveur.fr  ZSK       publish  2010-11-05 05:22:05       1c6cc30e6f05b653ddaa894014e25fed  SoftHSM      53942
And here is the syslog (same error repeated with all 4 keys):
ods-signerd: Run command: '/usr/lib/opendnssec/opendnssec/get_serial -f /var/lib/opendnssec/unsigned/demo-serveur.fr'
ods-signerd: Sorting zone: demo-serveur.fr
ods-signerd: Run command: '/usr/lib/opendnssec/opendnssec/quicksorter -o demo-serveur.fr. -f /var/lib/opendnssec/unsigned/demo-serveur.fr -w /var/lib/opendnssec/tmp/demo-serveur.fr.sorted -m 3600 -t 3600'
ods-signerd: Done sorting
ods-signerd: Nseccing zone: demo-serveur.fr
ods-signerd: No information yet for key 4b4c987253a6545d36f0600d5bbebd33
ods-signerd: Generating DNSKEY RR for 4b4c987253a6545d36f0600d5bbebd33
ods-signerd: Run command: '/usr/lib/opendnssec/opendnssec/get_class -f /var/lib/opendnssec/tmp/demo-serveur.fr.sorted'
ods-signerd: create_dnskey stderr: Error initializing libhsm
ods-signerd: create_dnskey status: 3
ods-signerd: equality: False
ods-signerd: Error: could not find key 4b4c987253a6545d36f0600d5bbebd33
I could not find any information except "return(3)" after "hsm_open()"
in the source code, and don't know what to check next.
I don't understand why the enforcer was able to open the hsm (obviously
the keys were created) but the signer was not. Do they not share the
same conf.xml?
I am running Ubuntu 10.10 (the production server will hopefully be
running a Debian but I don't have it yet).
Any advice is welcome.
Thanks!
Laurent